中兴微 zxic 随身wifi UZ901 固件分析(一)

开adb

# 解锁MF79U简单的步骤,所需资源均可在此下载:https://qyyd5g.top/中兴4G-5G路由刷机工具分享/

1. 运行 【SCSI.exe 即中兴mifi/ufi/卡托打开端口的工具】,运行完成后设备管理器里面会多两个未知的【DEMO Mobile Broadband】设备

网上查询的办法,没好用。。。

http://192.168.100.1/goform/goform_set_cmd_process?goformld=SET_DEVICE_MODE&debug_enable= 1
http://192.168.100.1/reqproc/proc_post?goformld=SET_DEVICE_MODE&debug_enable=1

开adb的接口,实测V1.4 V2.1版本可用。

adb shell 进入系统

❯ adb shell

BusyBox v1.21.0 (2024-03-25 11:28:45 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mtdblock4            2.5M      2.5M         0 100% /
mtd:imagefs               4.0M      4.0M         0 100% /mnt/imagefs
/dev/mtdblock5          512.0K    152.0K    360.0K  30% /mnt/userdata
/dev/mtdblock1          224.0K    160.0K     64.0K  71% /mnt/nvrofs
~ #
~ # cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00008000 00008000 "zloader"
mtd1: 00038000 00008000 "nvrofs"
mtd2: 00028000 00008000 "uboot"
mtd3: 00400000 00008000 "imagefs"
mtd4: 00318000 00008000 "rootfs"
mtd5: 00080000 00008000 "userdata"
~ #
~ # cat /proc/cmdline
root=/dev/mtdblock4 rootfstype=squashfs console=ttyS1,921600 no_console_suspend mtdparts=spi-nor-dt:32k@0x0(zloader),224k@0x8000(nvrofs),160k@0x40000(uboot),4m@0x68000(imagefs),3168k@0x468000(rootfs),512k@0x780000(userdata) boot_reason=0 system=normal
~ #
~ # cat /proc/cpuinfo
Processor   : ARMv7 Processor rev 4 (v7l)
BogoMIPS    : 620.54
Features    : swp half thumb fastmult edsp tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part    : 0xd03
CPU revision    : 4

Hardware    : TSP ZX297520V3
Revision    : 0000
Serial      : 0000000000000000
~ #
~ # free -m
             total       used       free     shared    buffers     cached
Mem:            21         19          2          0          1          4
-/+ buffers/cache:         13          8
Swap:            0          0          0
~ #
~ # uname -a
Linux DEMO 3.4.110-rt140 #2 PREEMPT RT Mon Mar 25 11:21:39 CST 2024 armv7l GNU/Linux
~ #
~ # cat /proc/version
Linux version 3.4.110-rt140 (SCM@ZTE) (gcc version 4.9.4 (Buildroot 2015.08.1-svn2614) ) #2 PREEMPT RT Mon Mar 25 11:21:39 CST 2024
~ #

启动过程

/etc # cat inittab
::sysinit:/etc/rc
::respawn:-/bin/login

/etc # cat rc
#!/bin/sh

/bin/mount -t proc proc /proc

echo "Starting mdevd..."
/bin/mount -t tmpfs mdev /dev
/bin/mount -t sysfs sysfs /sys
echo /sbin/mdev > /proc/sys/kernel/hotplug


/bin/mount   -t  tmpfs   tmpfs    /tmp
mkdir /dev/pts
/bin/mount   -t  devpts  devpts   /dev/pts
/bin/mount   -t  debugfs none     /sys/kernel/debug
mount -t jffs2 -o ro mtd:imagefs /mnt/imagefs
mdev -s
fs_check "normal"


echo 80 > /proc/sys/vm/swappiness
echo 12582912 > /sys/block/zram0/disksize
mkswap /dev/zram0
swapon /dev/zram0

mkdir -p /mnt/userdata/cache /mnt/userdata/etc_rw /mnt/userdata/var
echo 1 > /proc/sys/kernel/sysentry

ln -s /tmp /tmp/local
ln -s /tmp /tmp/tmp

mkdir -p /tmp/mnt

mkdir -p /var/local/tmp/ppp/status
mkdir -p /var/local/tmp/ppp/peers

mkdir -p /var/run
mkdir -p /var/log
mkdir -p /var/db
mkdir -p /var/ct/tmp

if [ ! -e /etc_rw/TZ ];then
    cp /etc/TZ /etc_rw/TZ
fi

echo 32768 > /proc/sys/kernel/msgmnb
ifconfig lo 127.0.0.1 up

KVER=`uname -r`

mknod /dev/myioctl   c 222 0

MODULE_PATH=/lib/modules/$KVER/net

if [ -f $MODULE_PATH/nf_conntrack_rtsp.ko ]; then
    insmod $MODULE_PATH/nf_conntrack_rtsp.ko
fi
if [ -f $MODULE_PATH/nf_nat_rtsp.ko ]; then
    insmod $MODULE_PATH/nf_nat_rtsp.ko
fi
if [ -f $MODULE_PATH/ipt_classify.ko ]; then
    insmod $MODULE_PATH/ipt_classify.ko
fi
if [ -f $MODULE_PATH/xt_webstr.ko ]; then
    insmod $MODULE_PATH/xt_webstr.ko
fi

SOUND_PATH=/lib/modules/$KVER/kernel/sound
if [ -f /lib/modules/$KVER/kernel/drivers/base/regmap/regmap-i2c.ko ]; then
    insmod /lib/modules/$KVER/kernel/drivers/base/regmap/regmap-i2c.ko
fi
if [ -f $SOUND_PATH/soundcore.ko ]; then
    insmod $SOUND_PATH/soundcore.ko
fi
if [ -f $SOUND_PATH/core/snd.ko ]; then
    insmod $SOUND_PATH/core/snd.ko
fi
if [ -f $SOUND_PATH/core/snd-timer.ko ]; then
    insmod $SOUND_PATH/core/snd-timer.ko
fi
if [ -f $SOUND_PATH/core/snd-page-alloc.ko ]; then
    insmod $SOUND_PATH/core/snd-page-alloc.ko
fi
if [ -f $SOUND_PATH/core/snd-pcm.ko ]; then
    insmod $SOUND_PATH/core/snd-pcm.ko
fi
if [ -f $SOUND_PATH/soc/snd-soc-core.ko ]; then
    insmod $SOUND_PATH/soc/snd-soc-core.ko
fi
if [ -f $SOUND_PATH/soc/codecs/snd-soc-tlv320aic31XX.ko ]; then
    insmod $SOUND_PATH/soc/codecs/snd-soc-tlv320aic31XX.ko
fi
if [ -f $SOUND_PATH/soc/sanechips/snd-soc-zx29-i2s.ko ]; then
    insmod $SOUND_PATH/soc/sanechips/snd-soc-zx29-i2s.ko
fi
if [ -f $SOUND_PATH/soc/sanechips/snd-soc-zx29-pcm.ko ]; then
    insmod $SOUND_PATH/soc/sanechips/snd-soc-zx29-pcm.ko
fi
if [ -f $SOUND_PATH/soc/sanechips/snd-soc-zx297520v3-ti3100.ko ]; then
    insmod $SOUND_PATH/soc/sanechips/snd-soc-zx297520v3-ti3100.ko
fi


echo 2048 > /proc/sys/vm/min_free_kbytes
echo 2 > /proc/sys/vm/min_free_order_shift


cmdline=$(cat /proc/cmdline)
result=$(echo $cmdline | grep "bootmode=")
if [[ "$result" != "" ]]; then
 bootmode=${cmdline##*bootmode=}
 bootmode=${bootmode%% *}
else
 bootmode="0"
fi
bootreason="${cmdline##*boot_reason=}"
bootreason=${bootreason%% *}

echo 0 > /etc_rw/wifiStatus
echo 0 > /etc_rw/wpsStatus
echo F > /etc_rw/staStatus
echo 0 > /etc_rw/qrStatus
echo 0 > /etc_rw/wpsdisplayStatus
zte_ufi $bootreason $bootmode &
nv set bootreason=$bootreason


if [[ $bootmode == "amt" ]]; then
 nv set ver_mode=0
zte_log_agent &

 zte_amt -p 10027 &


adbd &

 exit 0
fi

sim_select=$(nv get alk_sim_select)





modetype=$(nv getro usb_modetype)
nv set ver_mode=1


sysctl -w net.unix.max_dgram_qlen=5000



bootflag=$(nv get LanEnable)

if [[ $bootreason == "10" ]]; then
 nv set ver_mode=2
fi

if [[ $bootflag == "1" ]]; then
if [[ $bootreason == "2" ]]; then
 if [[ $modetype != "user" ]]; then
adbd &
fi
 exit 0
fi
fi



echo /sbin/modprobe -d /lib/modules/$KVER > /proc/sys/kernel/modprobe

echo 2 > /proc/sys/net/ipv6/conf/default/accept_dad
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

echo 1 > /proc/sys/vm/drop_caches

echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close

echo 40 > /proc/sys/net/netfilter/nf_conntrack_expect_max

echo 0 > /proc/sys/kernel/panic
echo 1 > /proc/sys/kernel/panic_on_oops
echo 2 > /proc/sys/vm/panic_on_oom

chmod a+rw /dev/android_adb /dev/ptmx
chmod 640  /etc/shadow



zte_log_agent &



if [[ $bootflag == "1" ]]; then
goahead &
fi

if [[ $modetype != "user" ]]; then
adbd &
fi

echo "Starting FOTA apps......!!"

if [[ $bootflag == "1" ]]; then
/sbin/start_telnetd.sh &
fi

netdog_init_set.sh

echo 0 > /proc/sys/kernel/hung_task_timeout_secs
rm -rf /etc_rw/udhcpd*.pid
sh /sbin/rm_dev.sh
echo 1800 > /sys/module/net_ext_modul/parameters/skb_num_limit
echo 700 > /sys/module/net_ext_modul/parameters/skb_max_panic
echo 2000 > /proc/sys/net/nf_conntrack_max

iccid_check &

echo alk_32k_lock > /sys/power/wake_lock
/etc #
©著作权归作者所有,转载或内容合作请联系作者
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。

推荐阅读更多精彩内容

  • Android - 收藏集
    用两张图告诉你,为什么你的 App 会卡顿? - Android - 掘金 Cover 有什么料? 从这篇文章中你...
    hw1212阅读 14,467评论 2 59
  • 谷歌相机教程和资源(原文来自酷安)
    谷歌相机教程,可能是最全的。 评论里相关教程已经很多了,基本能解决大部分问题,但本人还是想再写一篇。 1、如果你是...
    ns南笙微凉阅读 17,581评论 0 1
  • 爱鲜蜂产品分析
    前言 在三节课的课程作业中,需要根据爱鲜蜂的生命周期图,对其所处生命周期阶段进行判断,以及从拉新留存角度分析他们之...
    捍道阅读 5,114评论 2 1
  • MTK Camera 从底层到应用层一网打尽
    转载请注明出处(https://www.jianshu.com/p/5f538820e370),您的打赏是小编继续...
    福later阅读 28,889评论 8 73
  • 测试
    测试发现bug 开发不认为是bug的时候你怎么办? 1.1、首先明确开发说不是bug的理由。 1.2、如果是需求变...
    贩低阅读 3,764评论 0 0